Skip to content

MCP Security Vulnerabilities #94

Open
Open
MCP Security Vulnerabilities#94
Labels
domain:surfacesAgent UI, Telegram, WhatsApp, Slack/Discord, mobilep1medium prioritysecuritySecurity-sensitive changestrack:consumer-appHermes-competitor consumer product — mobile-first, voice + messaging + memory + skills
Milestone
v0.18.2 — Mobile Surfaces & Integrations [OSS]
@kovtcharov

Description

@kovtcharov
kovtcharov
opened on Sep 28, 2025

RE: #82

Security Scan Results
Security Score: 55/100

Risk Level: high

Scan Date: 2025-08-21

Score starts at 100, deducts points for security issues, and adds points for security best practices

Security Findings
Medium Severity Issues
semgrep: Use of os.system() with dynamic input detected. This can lead to command injection.

Location: src/gaia/llm/lemonade_client.py
Line: 225
semgrep: Use of subprocess with shell=True detected. This can be dangerous if used with untrusted input.

Location: installer/installer_utils.py
Line: 87
... and 16 more medium severity issues

This security assessment was conducted by MSeeP.ai, an independent security validation service for MCP servers. Visit our website to learn more about our security reviews.

Metadata

Metadata

Assignees

No one assigned

    Labels

    domain:surfacesAgent UI, Telegram, WhatsApp, Slack/Discord, mobilep1medium prioritysecuritySecurity-sensitive changestrack:consumer-appHermes-competitor consumer product — mobile-first, voice + messaging + memory + skills

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions